New REvil ransomware attack targets IT vendor Kaseya
This time, REvil malware has affected a wide range of IT management companies and compromised hundreds of their corporate clients.

The cybercriminal gang, believed to be operating in Eastern Europe or Russia, has targeted a key software vendor known as Kaseya, whose products are widely used by IT management companies, cybersecurity experts have said.

President Joe Biden said on Saturday the U.S. government was unsure of who was behind the attack, but called on federal agencies to help with the response.

“The point is, I’ve asked the intelligence community to give me a deep dive into what happened and I’ll know better tomorrow. And if it’s with the knowledge and/or consequence of Russia, so I told Putin that we will get him to respond,” Biden said, referring to his meeting with the Russian leader last month.

“We are not sure. The initial thought was not the Russian government but we are not yet sure,” he added.

This latest ransomware attack has already wiped out at least a dozen IT support companies that rely on Kaseya’s remote management tool called VSA, said Kyle Hanslovan, CEO of cybersecurity firm Huntress Labs.

In at least one case, Hanslovan said, the attackers demanded a ransom of $5 million.

The incident affects not only IT management companies, but also the business customers that have outsourced their IT management to those companies, Hanslovan said. He estimated that up to 1,000 small and medium-sized businesses could be affected by the hack.

“It’s very new, and we don’t know the scale yet,” said Hanslovan.

In recent months, cybercriminals have increasingly targeted organizations that play critical roles in large parts of the US economy. A high-profile attack on Colonial Pipeline in May disrupted fuel shipments to gas stations throughout the East Coast, sparking widespread panic buying. The JBS cyberattack resulted in the temporary shutdown of its nine beef processing plants in the United States.

The latest attack, which is unfolding rapidly, has alarmed cybersecurity experts.

“If you are using Kaseya VSA, stop it *now* until you are told to turn it back on and launch (incident response),” tweeted Christopher Krebs, former director of the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security. In its own advisory, CISA said it was working to understand and resolve the issue.

In a blog post, Kaseya said it had shut down its cloud servers while investigating the VSA incident.

“We are investigating a potential VSA attack which indicates it has been limited to a small number of our on-site customers only,” Kaseya said. “We have proactively shut down our SaaS servers out of prudence.”

An analysis of the malware by cybersecurity firm Emsisoft shows that it was created by REvil, the ransomware gang that U.S. officials say compromised JBS Foods.

Meanwhile, three of the compromised IT service providers are among Huntress Labs’ own cybersecurity clients, Hanslovan said.

“We have firsthand knowledge of it now and we have confirmed that it is indeed REvil,” said Hanslovan.

As many as 200 customers of the three affected IT service providers were compromised by the malware, Hanslovan said.

The ransomware appears to have been covertly embedded in Kaseya VSA, which helped it spread because IT companies use VSA to distribute software updates to their customers, Hanslovan said. It is not known how Kaseya’s software was first compromised.

This supply-chain-style attack resembles the tactic used by Russian hackers in the SolarWinds compromise, although in this case the malware was used to hijack victims’ networks rather than to spy on them.

CNN’s Jason Hoffman contributed to this report.